This blog covers the key takeaways from our webinar “Software Supply Chain Secrets: The Weak Links Attackers Exploit”. Watch the full webinar here.
Software supply chain risks have grown dramatically as organizations rely on more open-source components, external packages, and automated development pipelines. Small gaps that once felt harmless now carry real consequences, especially as dependencies grow deeper and harder to verify.
A clear example of this shift was the recent npm Shai-Hulud worm and Shai-Hulud 2.0, which spread through compromised packages and impacted thousands of downstream projects in a matter of hours. Incidents like this make one thing clear: supply chain weaknesses no longer stay contained; they cascade through entire ecosystems.
With 70–90% of modern software made up of open-source components, most of which developers never see directly, small issues can quickly become big exposures. Yet only 15% of organizations feel confident in how they manage that open-source risk. With 70% of malicious AI attacks expected to target supply chains by 2025, identifying weak links in the software supply chain is now essential.
For engineering and security teams, the benefit is simple: knowing where these weak spots are means fewer surprises, faster response times, and a much lower chance of ending up in the next supply chain headline.
SBOMs Are No Longer Optional
To manage software supply chain risk and respond to vulnerabilities, organizations need a clear view of what’s in their software stack. The foundation of this visibility is the SBOM (software bill of materials), which creates the transparency required to understand component risk and act quickly when issues arise.
An SBOM is defined as a detailed inventory of all closed and open-source components, licenses, and dependencies used in an application. This inventory provides essential data for transparency, compliance, and risk management.
What isn’t vulnerable or malicious today can easily become so tomorrow. Because vulnerabilities are uncovered continuously, including in older versions, ongoing monitoring and inventory are required.
George PrichiciVP, Products, OPSWAT
SBOM vs. SCA
One important thing is the distinction between SBOM and SCA (Software Composition Analysis). The SBOM is the inventory, or a list of components. SCA evaluates whether any of those components are vulnerable, outdated, or risky. Together, they give organizations the insight needed to make informed decisions, respond more quickly to security issues, and strengthen overall risk management.
| Category | SBOM | SCA |
|---|---|---|
Purpose | Inventory of components |
Identify vulnerabilities in components
|
Risk Coverage | Compliance & visibility | Security risks, CVEs, runtime risk |
Timing | Pre-deployment / procurement | Continuous / build & runtime |
Global movements, driven partly by attacks like SolarWinds, now require SBOMs, with regulatory pushes coming from entities like CISA, NSA, and NIST, as well as the EU and NATO allied countries making SBOM transparency no longer optional, but a fundamental expectation for any software vendor.
The 7 Critical Weak Links Attackers Exploit
The velocity of modern development, coupled with heavy reliance on third-party and open-source code, has introduced severe vulnerabilities. Threat actors are exploiting seven primary weak links:
1. Open Source and Dependency Risk
When developers prioritize speed, they often use large open-source libraries without a full code review. A single component may introduce additional transitive dependencies. If you only monitor the top level, you can miss malicious code injected into those hidden transitive dependencies.
This pattern is something we continue to see across open-source ecosystems. One compromised package can cascade through dependency chains and reach millions of downloads before anyone notices. A recent npm supply chain attack involving crypto-malware highlights exactly how this happens in practice.
Best practices:
- Scan all open-source packages and their full dependency chains to identify vulnerabilities, outdated components, or hidden malware before they reach your codebase.
- Continuously monitor dependencies over time, since safe components can become risky as new CVEs or malicious updates appear.
- Use trusted registries and verify package integrity to ensure the packages you download haven’t been tampered with.
- Apply policies that flag or block risky licenses so incompatible or viral license terms don’t slip into your builds.
- Delay using newly published packages until they've been vetted, reducing the chance of pulling unreviewed or malicious releases into your environment.
2. Licensing Risk
Licensing issues now affect engineering as much as legal. Viral licenses, such as the GPL, can force your resulting application to be published under the same license, potentially causing your company to lose its own Intellectual Property (IP). Continuous monitoring is necessary because license terms can change, even for older, previously compliant versions.
Best practices:
- Use an automated license detection tool to flag high-risk or incompatible licenses early in development. A deeper explanation of why this matters is outlined here: The Crucial Role of License Detection in Open Source Security.
- Continuously track license changes to catch shifts that may affect compliance or IP exposure.
- Block or review components with restrictive or viral licenses before they enter the codebase.
- Maintain a clear inventory of all licenses in use to simplify audits and risk assessments.
3. SBOM Data Gaps or Missing SBOMs
While regulations mandate sharing SBOMs, a high-level list is insufficient. Detailed data points, including the author, contributors, release frequency, and maintenance status, are needed for effective mitigation and prevention.
Best practices:
- Enhance SBOM reports by rescanning components to enrich them with updated license data, vulnerability status, and other critical metadata. A detailed example of how to do this is outlined here under CycloneDX SBOM Report Validation and Enrichment.
- Validate and enrich SBOMs using automated tools to ensure the information is complete, accurate, and actionable.
- Require vendors to provide full SBOM depth, including transitive dependencies and all relevant metadata.
- Continuously update and monitor SBOM inventories as components evolve or new vulnerabilities emerge.
4. Third-Party Vendors
Every vendor you rely on becomes part of your supply chain. If they ship outdated or compromised components, you inherit that risk. Complete SBOMs, including transitive dependencies, make it possible to understand your exposure quickly instead of chasing vendors during an incident. A recent post on Managing Dependency Vulnerabilities in Your Software Supply Chain explores how teams can strengthen this part of the process.
5. AI Supply Chain
Due to the rapid adoption of AI, teams are often bypassing normal restrictions, making this a major attack vector. Attackers inject malicious code into machine learning models, PICO files, or open-source libraries. Typosquatting is common in environments like Pytorch, where users might pull the wrong library, which can deliver malware and lead to full remote code execution on an engineer's machine.
6. Container Risk
Scanning containers must evolve beyond focusing only on vulnerabilities. Modern security must also scan for malware, crypto miners, and fast-acting threats published in publicly available container images. A recent analysis of the NVIDIA Container Toolkit CVE-2024-0132 shows how easily these issues can be overlooked.
7. Secrets and Credentials Leakage
When teams move quickly, they often hard-code access keys or credentials in source code for testing. Even if later overwritten, these secrets often remain in Git history where they are easy for attackers to find through scanning. Unmasking Hidden Threats: How to Detect Secrets in Code shows how these exposures happen and what teams can do to prevent them.
The Path to a Secure Software Supply Chain
To counter these threats, security must adopt a "shift left" mentality, meaning the same policies enforced before release should be applied earlier in the development cycle. The goal is to integrate security as an overlay on top of the existing CI/CD pipeline. This automated approach ensures enforcement when necessary, without impacting engineering productivity.
A comprehensive solution must provide:
- Automated supply chain scanning across the pipeline
- Visibility into source code, containers, and vendor-provided files
- Analysis that goes beyond CVEs to detect malware, license issues, and exposed secrets
How OPSWAT Helps Close These Gaps
- Multiscanning to detect malware early in the pipeline
- Integrated CI/CD security gates for GitHub, GitLab, TeamCity, Jenkins, and more
- Automated SBOM generation and vulnerability mapping
- Artifact signing and integrity validation
- Secrets scanning and credential hygiene enforcement
Talk to one of our experts to find tailored solutions for your stack today.
